How to route multiple client subnets through Wag VPN in Docker?

[martinmafka]

Hi,

I’m testing Wag installed in Docker following the guide, and I’m struggling to get routing working between multiple site-to-site VPNs and client subnets.

Setup example:

Wag VPN server: 172.16.200.1/24

Site 1 behind a Mikrotik VPN client: 172.16.200.10/24 → subnet 192.168.10.0/24

Site 2 behind a Mikrotik VPN client: 172.16.200.20/24 → subnet 192.168.20.0/24

Site 3 behind a Mikrotik VPN client: 172.16.200.30/24 → subnet 192.168.30.0/24

VPN clients: 172.16.200.100-150

Goal:

Subnets 192.168.10.0/24 – 192.168.30.0/24 should be able to communicate with each other.

VPN clients 172.16.200.100-150 should be able to access all site subnets.

Current Wag config (simplified):

{
    "NAT": true,
    "Webserver": {
        "Lockout": 5,
        "Tunnel": {
            "Domain": "domain.com",
            "Port": "8080",
            "MaxSessionLifetimeMinutes": 480,
            "SessionInactivityTimeoutMinutes": 60,
            "HelpMail": "test@domain.com",
            "DefaultMethod": "totp",
            "Issuer": "WireguardVPN",
            "Methods": [
                "totp"
            ]
        },
        "Public": {
            "ListenAddress": ":8081",
            "ExternalAddress": "IPv4",
            "DownloadConfigFileName": "wg0.conf"
        },
        "Management": {
            "Enabled": true,
            "ListenAddress": ":4433",
            "Password": {
                "Enabled": true
            }
        }
    },
    "Clustering": {
        "ClusterState": "new",
        "DatabaseLocation": "/data",
        "ETCDLogLevel": "error",
        "ListenAddresses": [
            "https://127.0.0.1:2380"
        ],
        "TLSManagerListenURL": "https://127.0.0.1:3434",
        "TLSManagerStorage": "/data/"
    },
    "Wireguard": {
        "DevName": "wg0",
        "ListenPort": 53230,
        "PrivateKey": "privateKEY",
        "Address": "172.16.200.1/24",
        "ServerPersistentKeepAlive": 0
    }
}

For one client configuration on WAG, the following ACL is configured:
{ "Allow": [ "172.16.200.0/24", "172.16.200.1/32", "192.168.10.0/24" ] }
However, I cannot ping the network 192.168.10.0/24. On the MikroTik side, the routing and firewall should be configured correctly. From none of the clients I am able to ping the WireGuard server IP 172.16.200.1. After switching "NAT" from true to false, I am able to ping peers on 172.16.200.0/24, but the LAN subnets behind the peers are still unreachable.

I have tried setting up IP forwarding and static routes on the Droplet where Wag is running, as well as iptables rules, but without success. Previously, I ran only WireGuard, and routing between the subnets worked correctly with similar rules.

Could you please advise how to properly configure Wag, Docker, and routing so that:

All three site subnets can communicate with each other.

VPN clients can access the site subnets.

If you need any additional information about my setup, I can provide it.

Thanks a lot for your help!

Martin